Bounty Operations: Best Practices and Common Pitfalls to Avoid in the First 6-12 Months

Presented at Black Hat USA 2019, Aug. 8, 2019, 11 a.m. (50 minutes)

Ever want to talk to someone who runs a bug bounty program and trade best practices and horror stories? Join this panel of bounty managers for real talk on signal vs. noise, ROI, interacting with bounty hunters, and all the little things they wish they'd known before learning the hard way. Panelists will share strategies for day-to-day operations, triage, and scope setting, and discuss which vulnerability types are found most often and why they still end up in production code after more than a decade of advances in security tooling and secure development practices.


Presenters:

  • Josh Jay - Application Security Lead, Major Film Studio
    Josh Jay is an ethical hacker and researcher based out of Los Angeles, California. He began his career in social engineering and internal and wireless network penetration testing before pivoting to application security. In his previous role at a Fortune 100 company he designed, built, and managed aviation's first public bounty program, which subsequently won multiple awards. Josh now manages application security for a major film studio.
  • Greg Caswell - Application Security Team Lead, Indeed
    Greg Caswell is an engineer at heart who enjoys helping make software systems slightly less terrible. For the past five years he has been building and managing an application security team at Indeed, responsible for teaching security concepts to developers, assessing the security of thousands of applications, triaging bug bounty submissions, and automating as much of the process as possible. He holds degrees in electrical and computer engineering. Outside of security, he enjoys beekeeping, aquaponics, and cooking.
  • Shannon Sabens - Security Program Manager, Trend Micro
    Shannon Sabens has 20 years of experience managing programs in security, anti-malware and software vulnerability research and response coordination. Shannon’s long history in the industry has taken her to Symantec, HP, Microsoft and Trend Micro, managing partner and customer relationships, and prioritizing day-to-day work in the labs. Currently, she is the Security Program Manager for Trend Micro’s Zero Day Initiative, where she has purchased vulnerability reports/exploits and coordinated vulnerability disclosures for over 4,000 cases. During her tenure, the Zero Day Initiative has arguably grown to be the largest known curated collection of vulnerability reports and exploits globally.
  • Jarek Stanley - Senior Program Manager, Microsoft
    Jarek Stanley is the Senior Program Manager leading Microsoft’s Bug Bounty Program. His role and research focus on the communities and economies underlying vulnerability research and disclosure. Prior to joining Microsoft he led the R&D program for the Bluetooth SIG and received his Master of Arts in International Economics from Johns Hopkins University SAIS.
